
Wifi open bsd 4.5

4 réponses
nathieb
Bonjour,

Je reviens à la charge car je ne sais plus quoi faire ....
Je tente de passer à la version 4.5 d'OpenBSD mais le hostapd couplé
au dhcpd pose problème.
Il a un comportement aléatoire.
Je reçois un DHCPDISCOVER mais l'IP ne se fixe pas.
Par contre, si je tue le processus hostapd et que je le relance,
l'adresse se fixe !!!!

J'ai mis en doute mon pf.conf car je l'ai copié d'une 3.9 mais, sans
grand changement, cela semblait fonctionner tout de suite.

J'avais 'hic' deux réseaux car j'avais suivi un tutoriel pour du wifi
en authpf sans l'authentification.
fxp0 : adresse publique.
10.0.0.0/24 sur ath0 et 192.168.1.0/24 sur sis0

Le dhcpd_flags="ath0 sis0", mais j'ai lu dans un forum que normalement
je ne devais écouter que sur l'interface sis0 ; seulement, si je fais
cela, plus rien ne fonctionne.

J'ai un DNS local qui répond sur 10.0.0.1 et 192.168.1.1.

À force de tester, je commence à douter du driver ath0 en mode access
point sous la version 4.5.
La carte est détectée en ar5212.

olivier


kitoy
Le Tue, 22 Sep 2009 14:17:09 -0700, nathieb a écrit :

Bonjour,



Bonjour

Je reviens à la charge car je ne sais plus quoi faire .... Je tente de
passer à la version 4.5 de Openbsd mais le hostapd couplé au dhcpd pose
problème
Il a un comportement aléatoire.
je reçois un DHCPDISCOVER mais l'ip ne se fixe pas. Par contre, si je
kill le process hostpad.conf et je le relance, l'adresse se fixe !!!!

j'ai mis en doute mon pf.conf car je l'ai copié d'une 3.9 mais sans
grand changement cela semblait fonctionner tout de suite.

j'avais 'hic' deux réseau car j'avais suivi un tutoriel pour du wifi en
authpf sans l'authentification.
fxp0 adresse public.
10.0.0.0/24 ath0 et 192.168.1.0/24 sis0

le dhcpd_flags="ath0 sis0", mais j'ai lu dans un forum que normalement
je ne devais écouter que sur l'interface sis0 seulement si je fais cela
plus rien .



Si l'interface réseau qui fait point d'accès est ath0, normalement il
faudrait la laisser. À moins que le daemon hostapd se charge
d'attribuer les adresses. Mais sans le fichier de configuration c'est
difficile à dire.

j'ai un dns local qui répond sur 10.0.0.1 et 192.168.1.1.

A force de tester, je commence à douter du driver ath0 en mode access
point sous la version 4.5.
carte détecter en ar5212.

olivier



Kitoy.
nathieb
Je ne suis pas un pro openbsd, j'avoue ..


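# $OpenBSD: hostapd.conf,v 1.11 2007/02/27 20:53:45 david Exp $
#
# hostapd(8) configuration: ath0 is the wireless interface running in
# access point mode, sis0 is the wired side used for IAPP announcements.
# The pasted file had each rule wrapped over several lines; hostapd.conf(5)
# expects one rule per line (or a trailing backslash), so they are rejoined.
wlan="ath0"
wired="sis0"

# The original comment asked: "my laptop, or the access point's MAC?"
# NOTE(review): in the rules below this table is matched with the "bssid"
# keyword, i.e. against the BSSID field of the frame (the access point's
# own address), not against the station that sent it. In the stock
# hostapd.conf(5) example <myess> lists the BSSIDs of the access points
# that belong to this ESS. With a client MAC here, every data frame that
# carries the real AP's BSSID matches "!<myess>" and triggers the deauth
# rule below -- confirm against hostapd.conf(5) before keeping this entry.
table <myess> {
00:19:D2:CF:67:7F # my laptop ;)
}

set hostap interface $wlan

# Frame capture mode for the access point interface; see hostapd.conf(5).
set hostap mode radiotap

# IAPP notifications are sent as multicast on the wired interface; these
# are the "ath0/sis0: sent ADD notification" lines in the daemon log.
set iapp interface $wired
set iapp mode multicast

# Relay probe requests over IAPP, radiotap-encapsulated.
hostap handle type management subtype probe request with iapp type radiotap

# For data frames whose BSSID is not in <myess>, send a broadcast
# deauthentication from that BSSID. See the note on <myess> above: as
# configured, the real AP's BSSID is "not in the table".
hostap handle type data bssid !<myess> with frame type management subtype deauth reason auth expire from &bssid to ff:ff:ff:ff:ff:ff bssid &bssid

# Log non-beacon management frames, at most 100 per 10 seconds (the
# "(rate: ...)" authentication lines in the log presumably come from here).
# "skip": hostapd does not process the frame itself, only the "with"
# action applies -- see hostapd.conf(5).
hostap handle skip type management subtype ! beacon with log rate 100 / 10 sec

# Announce beacons from foreign BSSIDs over IAPP, at most one per second.
hostap handle skip type management subtype beacon bssid !<myess> with iapp type radiotap limit 1 sec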

J'ai enlevé les commentaires.

J'ai un DNS interne en maître, et un dhcpd qui écoute sur ath0 et
sis0.




J'ai changé le domain ;)

# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Two shared networks, one per interface dhcpd listens on
# (dhcpd_flags="ath0 sis0"):
#   LOCAL-NET  192.168.1.0/24 on sis0 (wired),    router and DNS 192.168.1.1
#   LOCAL-WIFI 10.0.0.0/24    on ath0 (wireless), router and DNS 10.0.0.1
# Neither subnet declares a "range": by intent, only the hosts listed
# below and matched by "hardware ethernet" receive a lease (fixed-address);
# a client with an unknown MAC has no pool to draw from.
#
# NOTE(review): the names juliette, invite and geek are declared once in
# each group with different MACs -- confirm with dhcpd(8) that duplicate
# host names are accepted rather than one entry replacing the other.
# NOTE(review): 00:0f:3d:ae:aa:a2 ("geek" on the wifi subnet) is also the
# BSSID shown for ath0 in the attached daemon log; if that is the AP's own
# interface, its fixed-address entry is never used.
# NOTE(review): the attached log shows one DHCPREQUEST answered with
# DHCPACK via ath0 and then DHCPNAK via sis0. If ath0 and sis0 are bridged
# (the pf.conf "bridge0" macro suggests they are), a wifi client's
# broadcast is seen on both interfaces, and the copy arriving on sis0 is
# judged against the 192.168.1.0/24 subnet and refused. That NAK is a
# plausible reason the client never keeps its address; worth confirming
# before blaming the ath(4) driver.
shared-network LOCAL-NET {
option domain-name "toto.com";
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
}
}
# Wired hosts. 192.168.1.1 appears to be this dhcpd box itself (camille,
# the router address above).
group{
host camille.blogdns.com{
hardware ethernet 00:04:75:d2:cb:db;
fixed-address 192.168.1.1;
}
# PXE boot: image served by 192.168.1.3
host nathalie.blogdns.com{
hardware ethernet 00:0a:5e:06:bf:07;
filename "pxelinux.0";
next-server 192.168.1.3;
fixed-address 192.168.1.2;
}
host charlotte{
hardware ethernet 00:10:dc:e1:9b:55;
fixed-address 192.168.1.3;
}
host juliette {
filename "pxelinux.0";
next-server 192.168.1.3;
hardware ethernet 00:d0:59:7a:40:64;
fixed-address 192.168.1.4;
}
host invite {
hardware ethernet 00:17:42:42:24:f4;
fixed-address 192.168.1.5;
}
host geek {
hardware ethernet 00:50:8B:EE:3F:51;
fixed-address 192.168.1.20;
}
}

shared-network LOCAL-WIFI {
option domain-name "toto.com";
option domain-name-servers 10.0.0.1;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
}
}

# Wireless hosts (same names as the wired group, different MACs).
group{
host juliette {
hardware ethernet 00:14:BF:B0:2B:E5;
fixed-address 10.0.0.2;
}
# The laptop listed in the hostapd <myess> table.
host invite {
hardware ethernet 00:19:D2:CF:67:7F;
fixed-address 10.0.0.3;
}
host geek {
hardware ethernet 00:0f:3d:ae:aa:a2;
fixed-address 10.0.0.4;
}
}


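# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Firewall/NAT for an OpenBSD box with a public interface (fxp0), a wired
# LAN (sis0, 192.168.1.0/24) and a wireless LAN served by hostapd (ath0,
# 10.0.0.0/24). Rule order matters: pf applies the LAST matching rule,
# except that a rule marked "quick" ends evaluation immediately.
#
# NOTE(review): the pasted file had many rules wrapped over two lines;
# they are rejoined here, pf.conf(5) needs one rule per line (or a
# trailing backslash).

# External, public interface
ext_if="fxp0"
# Public address, redacted in the post; used by the anti-spoof block below.
ext_ifIP="XX.XX.XX.XX"

# Internal wireless interface (hostapd access point)
wifi_int="ath0"
# Internal wired interface
Int="sis0"
bridge="bridge0"
iNTIP="192.168.1.1"
Loop="lo0"
Gateway="192.168.1.1"
web_server="192.168.1.2"
charlotte="192.168.1.3"
nathalie="192.168.1.2"
# NOTE(review): $invite is a second name for ath0, the same interface as
# $wifi_int. The "pass ... quick on $wifi_int all" rules below already
# accept everything on it, so the port-restricted $invite rules never match.
invite="ath0"

# NOTE(review): a hostname in a macro is resolved when the ruleset is
# loaded; if DNS is unreachable at boot, pfctl fails to load this file.
free_net_host = freeplayer.freebox.fr
free_lan_host = 10.0.0.31
free_lan1_host = 192.168.1.3
free_dst_tcp_ports = "{8080}"
free_dst_udp_ports = "{ 1234 }"

# NOTE(review): despite the name, only the limited-broadcast address is
# listed; RFC 1918 / bogon ranges are not blocked on $ext_if.
NoRoute="{ 255.255.255.255/32 }"
# Services accepted from any source on the public interface.
# NOTE(review): this opens ssh, smtp, pop3, imap, ftp, nntp, X11 (6000),
# RADIUS (1812/1813), cvspserver (2401), rsync (873), irc (6667) and more
# to the whole Internet; review which of these are meant to be reachable
# from outside, and prefer "to ($ext_if)" over "to any".
InServicesTCP = "{21, ssh, auth, http, https, domain, smtp, pop3, imap,ftp,nntp,6901,rtsp,8081,1812,1813, 5222,6000,6667,2401,873}"
InServicesUDP = "{ 53,67,domain, ntp,nntp,6901,5190,1234,rtsp, 1328,177,1812,1813 }"

# NOTE(review): only one log interface is active at a time; the last
# "set loginterface" wins, so "pfctl -si" counters are bridge0's --
# confirm with pf.conf(5).
set loginterface fxp0
set loginterface sis0
set loginterface ath0
set loginterface bridge0

set limit { states 20000, frags 20000 }
set optimization conservative

#table <spamd> persist
#table <spamd-white> persist

#set skip on { lo $int_if }

# Normalise (reassemble) all incoming packets
scrub in all
#no-df

#---------------------------------------------------------------------------
#
# NAT rules: both internal networks are masqueraded behind fxp0

nat on $ext_if from 192.168.1.0/24 to any -> fxp0
nat on $ext_if from 10.0.0.0/24 to any -> fxp0
#---------------------------------------------------------------------------
#
# Redirections (port forwarding to internal hosts). Plain "rdr" still
# needs a matching "pass" rule further down; "rdr pass" passes by itself.

rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.2 port 80
rdr pass on $ext_if proto tcp from any to any port 8080 -> 192.168.1.2 port 8080
rdr pass on $ext_if proto tcp from any to any port 4848 -> 192.168.1.2 port 4848
rdr on $ext_if proto tcp from any to any port 443 -> 192.168.1.2 port 443
rdr on $ext_if proto tcp from any to any port 5901 -> 192.168.1.2 port 5901
rdr on $ext_if proto tcp from any to any port 22700 -> 192.168.1.2 port 22700

# Redirection to reach homeplayer & multi-post VLC on $free_lan_host
rdr pass on $ext_if proto tcp from $free_net_host to $ext_if -> $free_lan_host
rdr pass on $ext_if proto udp from $free_net_host to $ext_if -> $free_lan_host

# Redirection for bittorrent
# NOTE(review): rdr rules are first-match. The first 6881:6889 rule
# ($charlotte) always wins; the two that follow (-> $free_lan_host and
# -> $nathalie) can never match. Keep the one host that is meant to
# receive the traffic and drop the others.
rdr pass on $ext_if proto tcp from any to any port 6881:6889 -> $charlotte
#rdr pass on $ext_if proto tcp from any to any port 5004:6000 -> $charlotte
rdr pass on $ext_if proto tcp from any to any port 6881:6889 -> $free_lan_host
rdr pass on $ext_if proto tcp from any to any port 6881:6889 -> $nathalie
# ftp redirection to ftp-proxy(8) on 127.0.0.1:8021 (disabled)
#rdr on $Int proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $wifi_int proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#---------------------------------------------------------------------------
#

#-------------------------------------------------------------------------
# Defaults
# block and log everything
#-------------------------------------------------------------------------
block out log all
block in log all
# On the public interface answer with RST (tcp) / ICMP unreachable (udp)
# instead of dropping silently.
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all
block in log inet6 all
block out log inet6 all
block in log from no-route to any
# Nothing leaves fxp0 with a source address other than our own.
block out log quick on $ext_if from ! $ext_ifIP to any
# NOTE(review): the macro is defined as $iNTIP above; $INTIP would be an
# undefined macro if this rule were ever uncommented.
#block in log quick on $Int from ! $INTIP to any

#--------------------------------------------------------------------------
# loopback packets left unmolested, except spoofed
antispoof for $Loop
pass in quick on $Loop all
pass out quick on $Loop all
# NOTE(review): these four "quick" rules accept everything on the bridge
# and on the wireless interface, before any of the filtering below. Every
# station hostapd admits therefore reaches the firewall and, with
# forwarding on, the wired LAN without any port filter -- the wireless
# side is effectively unfiltered.
pass in quick on $bridge all
pass in quick on $wifi_int all
pass out quick on $bridge all
pass out quick on $wifi_int all

#-------------------------------------------------------------------------
# Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $ext_if inet proto tcp all flags FUP/FUP
block in log quick on $ext_if inet proto tcp all flags SF/SFRA
block in log quick on $ext_if inet proto tcp all flags /SFRA

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if inet from $NoRoute to any
block out log quick on $ext_if inet from any to $NoRoute

#-------------------------------------------------------------------------
# PASS rules: anything you want! :)
#-------------------------------------------------------------------------
#
# Services provided to the outside world

# (redundant: identical rules already appear in the loopback section)
pass in quick on $wifi_int all
pass out quick on $wifi_int all
# Echo requests only.
pass in log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in log on $ext_if inet proto tcp from any to any port $InServicesTCP flags S/SA modulate state
pass in log on $ext_if inet proto udp from any to any port $InServicesUDP keep state
pass in log on $invite inet proto tcp from any to any port $InServicesTCP flags S/SA modulate state
pass in log on $invite inet proto udp from any to any port $InServicesUDP keep state
pass in log on $ext_if inet proto udp from any to any port 14567 keep state
pass in log on $ext_if inet proto udp from any to any port 20 keep state
pass in log on $ext_if inet proto udp from any to any port 23000:23009 keep state

# NOTE(review): no "proto" on this rule, so it is not limited to tcp even
# though it carries "flags S/SA"; add "proto tcp" (or drop the flags) --
# confirm how pfctl in 4.5 handles flags without a protocol.
pass in quick on $ext_if from $free_net_host to $free_lan_host flags S/SA modulate state
#pass in quick on $ext_if from $free_net_host to $free_lan_host flags S/SA modulate state

#pass in quick on $ext_if proto tcp from $free_net_host to $free_lan_host port $free_dst_tcp_ports flags S/SA keep state
#pass out quick on $Int proto tcp from $free_net_host to $free_lan_host port $free_dst_tcp_ports flags S/SA keep state

pass in quick on $ext_if proto udp from $charlotte to $free_net_host port $free_dst_udp_ports keep state
pass out quick on $Int proto udp from $charlotte to $free_net_host port $free_dst_udp_ports keep state

# FTP server handling: active-mode data connections to sockets owned by
# user "proxy" (ftp-proxy(8)).
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state
#pass in on $ext_if proto tcp from any to any port > 49151 keep state

# Accessible services worldwide
#[snip]

pass out quick on $ext_if inet proto udp from any to any port $InServicesUDP keep state
pass out quick on $ext_if inet proto tcp from any to any port $InServicesTCP flags S/SA modulate state
pass out quick on $invite inet proto udp from any to any port $InServicesUDP keep state
pass out quick on $invite inet proto tcp from any to any port $InServicesTCP keep state
pass out quick on $ext_if inet proto udp from any to any port 14567 keep state
pass out quick on $ext_if inet proto udp from any to any port 23000:23009 keep state

# Internal Traffic to/though firewall :
#[snip]

# Internal traffic from firewall :
#[snip]

# Wired LAN: everything allowed in both directions.
pass in quick on $Int all
pass out quick on $Int all

# Pass rules for the plain "rdr" entries above (post-translation addresses).
pass in on $ext_if proto tcp from any to 192.168.1.2 port 80 keep state
pass in on $ext_if proto tcp from any to 192.168.1.2 port 443 keep state
pass in on $ext_if proto tcp from any to 192.168.1.2 port 5901 keep state
#pass in on $ext_if proto tcp from any to 192.168.1.2 port 700 keep state
# NOTE(review): the 8080 rdr above targets 192.168.1.2, not 192.168.1.3,
# so this rule matches nothing (its "rdr pass" already passes the traffic).
pass in on $ext_if proto tcp from any to 192.168.1.3 port 8080 keep state

#-------------------------------------------------------------------------
# IPv6 tunnel
#-------------------------------------------------------------------------
# [snip] see the IPv6 section
#
# THE END



#pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state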


Le pf.conf est un peu dégradé à cause des tests ; j'avoue aussi que
c'est le bronx, il faut que je le réécrive.


J'ai écrit un resolv.conf.tail pour rajouter l'option « file bind » à
la fin.

Bien sûr, j'ai aussi modifié le dhclient.conf en y rajoutant :
# dhclient.conf(5) additions on camille (the box that also runs dhcpd).
initial-interval 1;
send host-name "camille";
request subnet-mask, broadcast-address, routers, domain-name,
domain-name-servers, host-name;
# Force the local domain and put the local DNS first in resolv.conf,
# whatever the upstream DHCP server hands out.
supersede domain-name "toto.com";
prepend domain-name-servers 192.168.1.1;

pour avoir mon DNS comme primaire.

Apparemment, c'est le foutoir quand je passe tout en 192.168.1.0/24,
même la carte wifi :
le dhcpd répond mais impossible de fixer l'adresse, enfin sauf quand
je tue hostapd
et que je le relance à la main. Alors là ?? mal configuré ???

Donc le pf.conf ne semble pas en cause ???
J'ai pensé au DNS, mais là aussi, sur une autre machine en 192.168.1.XX,
si je fais un
nslookup
server 10.0.0.1
invite ..



je récupère mes données.

Voilà ce que je peux voir dans /var/log/daemon :



Sep 22 07:59:13 camille hostapd[16862]: ath0/sis0: sent ADD
notification for 00:19:d2:cf:67:7f
Sep 22 07:59:16 camille last message repeated 8 times
Sep 22 07:59:16 camille hostapd[16862]: ath0: (rate: 100/4 sec) 00:0f:
3d:ae:aa:a2 > 00:19:d2:cf:67:7f, bssid 00:0f:3d:ae:aa:a2:
authentication response, <radiotap v0, SHORTPRE, chan 2, 11b, txpower
30dBm>
Sep 22 07:59:16 camille hostapd[16862]: ath0/sis0: sent ADD
notification for 00:19:d2:cf:67:7f
Sep 22 07:59:17 camille last message repeated 2 times
Sep 22 07:59:17 camille dhcpd[23843]: DHCPREQUEST for 10.0.0.31 from
00:19:d2:cf:67:7f via ath0
Sep 22 07:59:17 camille dhcpd[23843]: DHCPACK on 10.0.0.31 to
00:19:d2:cf:67:7f via ath0
Sep 22 07:59:17 camille dhcpd[23843]: DHCPREQUEST for 10.0.0.31 from
00:19:d2:cf:67:7f via sis0
Sep 22 07:59:17 camille dhcpd[23843]: DHCPNAK on 10.0.0.31 to
00:19:d2:cf:67:7f via sis0
Sep 22 07:59:18 camille hostapd[16862]: ath0/sis0: sent ADD
notification for 00:19:d2:cf:67:7f
Sep 22 08:00:01 camille newsyslog[2164]: logfile turned over
Sep 22 07:59:19 camille last message repeated 3 times

Avant j'avais DHCPDISCOVER .... DHCPREQUEST et puis plus rien que des
notifications.
J'ai un NAK : problème, il répond sur sis0 et ath0, mais si je passe
dhcpd_flags="sis0", plus rien ???

Autre bizarrerie de chez OpenBSD 4.5.

j'ai monté alors un bridge sur ath0 et sis0 en bridge0 mais je ne vois
pas d'amélioration.

Voilà, vous savez tout ou presque ... je suis en train de lorgner sur
NetBSD ou FreeBSD, je suis un peu déçu car cela fait
quinze jours que je me bats avec cette version. J'ai même l'interface
avec la ligne qui va bien en WPA, mais tant
que cela ne fonctionne pas ... , snif, j'aime ma 3.8.
Une idée ???

olivier
kitoy
Le Wed, 23 Sep 2009 01:42:36 -0700, nathieb a écrit :

Je ne suis pas un pro openbsd, j'avoue ..



Je ne suis pas du tout pro openBSD non plus je vous rassure... Enfin peut-
être pas :).

# $OpenBSD: hostapd.conf,v 1.11 2007/02/27 20:53:45 david Exp $
# (quoted from the previous message: wireless AP interface and wired
# IAPP interface)
wlan="ath0"
wired="sis0"
# Should this be my laptop's MAC or the access point's ??

table <myess> {
00:19:D2:CF:67:7F # my laptop ;)
}



Oui c'est bien l'adresse mac du portable qu'il faut mettre.

# (quoted from the previous message)
# NOTE(review): as pasted, each rule spans several lines; hostapd.conf(5)
# needs one rule per line or a trailing backslash.
set hostap interface $wlan

set hostap mode radiotap

# IAPP notifications go out as multicast on the wired interface.
set iapp interface $wired
set iapp mode multicast
hostap handle type management subtype probe request
with iapp type radiotap

# NOTE(review): "bssid" here matches the BSSID field of the frame -- the
# access point's address -- not the sending station. In the stock
# hostapd.conf(5) example <myess> holds the BSSIDs of this ESS's access
# points; with a client MAC in the table, data frames carrying the real
# AP's BSSID match "!<myess>" and trigger this broadcast deauth. Confirm
# against hostapd.conf(5).
hostap handle type data bssid !<myess>
with frame type management subtype deauth reason auth expire from
&bssid to ff:ff:ff:ff:ff:ff bssid &bssid


# Log non-beacon management frames, rate limited to 100 per 10 seconds.
hostap handle skip type management subtype ! beacon
with log
rate 100 / 10 sec
# Announce foreign beacons over IAPP, at most one per second.
hostap handle skip type management subtype beacon bssid !<myess>
with iapp type radiotap limit 1 sec

J'ai enlever les commentaires .

J'ai un dns interne en maître, un dhcp aussi qui écoute sur ath0 et sis




J'ai changé le domain ;)

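# $OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# (quoted from the previous message; the comment header was mangled by
# the quoting and is restored here, the declarations are unchanged)
#
# Two shared networks: LOCAL-NET 192.168.1.0/24 (sis0, wired) and
# LOCAL-WIFI 10.0.0.0/24 (ath0, wireless). No "range" is declared, so only
# the hosts listed by "hardware ethernet" get a (fixed) address.
shared-network LOCAL-NET {
option domain-name "toto.com";
option domain-name-servers 192.168.1.1;

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
}
}
group{
host camille.blogdns.com{
hardware ethernet 00:04:75:d2:cb:db;
fixed-address 192.168.1.1;
}
host nathalie.blogdns.com{
hardware ethernet 00:0a:5e:06:bf:07;
filename "pxelinux.0";
next-server 192.168.1.3;
fixed-address 192.168.1.2;
}
host charlotte{
hardware ethernet 00:10:dc:e1:9b:55;
fixed-address 192.168.1.3;
}
host juliette {
filename "pxelinux.0";
next-server 192.168.1.3;
hardware ethernet 00:d0:59:7a:40:64;
fixed-address 192.168.1.4;
}
host invite {
hardware ethernet 00:17:42:42:24:f4;
fixed-address 192.168.1.5;
}
host geek {
hardware ethernet 00:50:8B:EE:3F:51;
fixed-address 192.168.1.20;
}
}

shared-network LOCAL-WIFI {
option domain-name "toto.com";
option domain-name-servers 10.0.0.1;

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
}
}

# NOTE(review): juliette, invite and geek are declared a second time here
# with other MACs -- confirm with dhcpd(8) that duplicate host names are
# accepted.
group{
host juliette {
hardware ethernet 00:14:BF:B0:2B:E5;
fixed-address 10.0.0.2;
}
host invite {
hardware ethernet 00:19:D2:CF:67:7F;
fixed-address 10.0.0.3;
}
host geek {
hardware ethernet 00:0f:3d:ae:aa:a2;
fixed-address 10.0.0.4;
}
}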




Il me semble que l'erreur vient du fait que vous ne déclarez pas de plage
d'adresses.
Je pense que vous devriez ajouter :

# Suggested change: add a dynamic pool ("range") to each subnet.
# NOTE(review): the original configuration leaves "range" out on purpose
# so that only hosts declared with "hardware ethernet" get a lease. A pool
# hands an address to any client that asks, including any station that
# associates on the wireless side, which the pf rules pass unfiltered.
# The pools below do not overlap the fixed addresses already declared
# (192.168.1.1-.5, .20 and 10.0.0.2-.4), but 10.0.0.31 -- the pf rdr
# target $free_lan_host -- falls inside the second pool.
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
range 192.168.1.21 192.168.1.254;
}

subnet 10.0.0.0 netmask 255.255.255.0 {
option routers 10.0.0.1;
range 10.0.0.6 10.0.0.254;
}



En espérant vous avoir aidé.

Kitoy.
nathieb
Bonjour,

Euh non, je ne crois pas : en fait chaque machine est reconnue par son
adresse MAC
afin d'éviter la prise d'adresses DHCP par un pirate Tipiak.

Le range est pour une plage ;) d'adresses.

En tout cas, merci de vous intéresser à mon sort.

olivier